File changed: articles/openshift/howto-enable-nsg-flowlogs.md (6 additions & 6 deletions)
@@ -11,7 +11,7 @@ keywords: azure, openshift, aro, red hat, azure CLI
11
11
#Customer intent: I need to create and use an Azure service principal to restrict permissions to my Azure Red Hat OpenShift cluster.
12
12
---
13
13
14
-
# Enable NSG flow logs
14
+
# Enable Network Security Group flow logs
15
15
16
16
Flow logs allow you to analyze traffic for Network Security Groups in specific regions that have Azure Network Watcher configured.
17
17
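Review bot: the new heading at line 14 spells out "Network Security Group", but the abbreviation NSG is never introduced, even though the file name (howto-enable-nsg-flowlogs.md) and the `spec.nsgFlowLogs` field the document later asks the reader to set both rely on it. Introduce it once where the term first appears in the body, e.g. change line 16 to "Flow logs allow you to analyze traffic for Network Security Groups (NSGs) in specific regions that have Azure Network Watcher configured.", so the heading, the prose and the `nsgFlowLogs` spec key visibly refer to the same thing. The heading change itself is fine.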
@@ -36,25 +36,25 @@ Create a storage account for storing the actual flow logs. It must be in the sam
36
36
The service principal used by the cluster needs the [proper permissions](../network-watcher/required-rbac-permissions) in order to create necessary resources for the flow logs and to access the storage account.
37
37
The easiest way to achieve that is by assigning it the network administrator and storage account contributor role on subscription level. Alternatively, you can create a custom role containing the required actions from the page linked above and assign it to the service principal.
38
38
39
-
To get the service principal ID, run
39
+
To get the service principal ID, run the following command:
40
40
```
41
41
az aro show -g {ResourceGroupName} -n {ClusterName} --query servicePrincipalProfile.clientId -o tsv
42
42
```
43
-
and use the output to get the object ID.
43
+
Use the output of the above command to get the object ID:
44
44
```
45
45
az ad sp show --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --query id --out tsv
46
46
```
47
-
To assign network admin:
47
+
To assign network admin, run the following command:
48
48
```
49
49
az role assignment create --assignee "{servicePrincipalObjectID}" --role "4d97b98b-1d4f-4787-a291-c67834d212e7" --subscription "{subscriptionID}" --resource-group "{networkWatcherResourceGroup}"
50
50
```
51
-
To assign storage account contributor:
51
+
To assign storage account contributor, run the following command:
52
52
```
53
53
az role assignment create --role "17d1049b-9a84-46fb-8f53-869881c3d3ab" --assignee-object-id "{servicePrincipalObjectID}"
54
54
```
55
55
See [this page](../role-based-access-control/built-in-roles) for IDs of built-in roles.
56
56
57
-
-Create a spec like this or update the existing one to contain spec.nsgFlowLogs in case you are already using another preview feature:
57
+
Create a spec as in the following example, or update the existing spec to contain `spec.nsgFlowLogs` in case you are already using another preview feature:
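Review bot: the rewording at lines 47 and 51 keeps calling the role "network admin"/"network administrator" (also at line 37), but the GUID assigned at line 49, `4d97b98b-1d4f-4787-a291-c67834d212e7`, is the built-in Network Contributor role; since the text points readers at the built-in roles list (line 55), use the actual role name so they can verify the GUID. While touching these lines, note the two assignments are scoped inconsistently: line 49 restricts the network role to `--resource-group "{networkWatcherResourceGroup}"`, whereas line 53 (`az role assignment create --role "17d1049b-9a84-46fb-8f53-869881c3d3ab" --assignee-object-id "{servicePrincipalObjectID}"`) passes no scope and therefore lands at subscription level, which is what line 37 describes but is broader than the storage account the flow logs are written to (line 36). Given the stated customer intent at line 11 is to restrict the cluster service principal's permissions, scope the storage assignment to the storage account (for example `--scope "/subscriptions/{subscriptionID}/resourceGroups/{storageAccountResourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"`) and say so in line 37 instead of recommending subscription-level grants as the easiest path. Minor: line 49 uses `--assignee` while line 53 uses `--assignee-object-id`; use `--assignee-object-id` in both, and replace the `XXXXXXXX-XXXX-...` placeholder at line 45 with the `{clientId}` brace style used everywhere else in the file.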